DDoS and the Cloud: Sad but True

Amazon EC2 customers recently suffered from a concerted Distributed Denial of Service (DDoS) attack that caused some consternation for the web-based code hosting service Bitbucket (news courtesy of my favorite IT tabloid, The Register). An unfortunate fact of life about a massive DDoS such as the one Bitbucket appears to have suffered is that once the incoming network pipes are full there is no defense other than shutting off the DDoS at its source.

Trend Micro has to wrestle with DDoS attacks as part of our antivirus business as well as our hosted security business (shameless sales plug: check out InterScan Hosted Messaging Security for hosted/SaaS email security offerings). I checked with some of our CTOs and architects to get their thoughts on the Bitbucket episode, and got an education on the tough problem that is posed by DDoS.

Vendors and Software-as-a-Service (SaaS)/Infrastructure-as-a-Service (IaaS) providers can use smoke and mirrors to protect themselves from negative news, but from a technology perspective there is no defense once the incoming network has been saturated by a DDoS attack. While there is no way to “architect” to avoid DDoS attacks, you can architect to mitigate them. This is not something that you “set and forget”; it is more about developing good working relationships with upstream providers and working with them in real time to mitigate attacks as they happen.

Most network countermeasures cannot protect against DDoS attacks because they cannot stop the deluge of traffic and typically cannot distinguish good content from bad. Intrusion Prevention Systems (IPS) are effective if the attack is recognized and matches a pre-existing signature, but they are ineffective when the attack traffic consists of legitimate-looking requests sent with bad intent. Similarly, firewalls typically have simple rules that allow or deny protocols, ports or IP addresses. DDoS attacks easily bypass firewalls and IPS devices because they are designed to send traffic that looks legitimate, such as HTTP requests to a web server; the attack works because so much traffic arrives from so many distinct hosts that the server, or more often its internet connection, cannot handle the volume.
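To make the point above concrete, here is an added example (not code from the original post or from Trend Micro) that runs two detectors over constructed web-server log lines: a per-source rate rule of the kind a firewall or IPS applies, and an aggregate view that counts total requests per second and distinct source addresses. The traffic, the address ranges (RFC 5737 documentation ranges), the thresholds and all function names are assumptions made for the illustration. Each flooding host sends only one ordinary GET per second, so the per-source rule never fires, while the aggregate view shows exactly the picture an operator hands to an upstream provider.

```python
"""Why a per-source rule misses a distributed flood: detection over sample log lines.

Added example, not code from the original post. Log lines are constructed
below using RFC 5737 documentation address ranges; no real hosts appear.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [timestamp] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, request) for a combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("req")


def make_sample_lines():
    """Constructed traffic (assumption): 10 seconds of normal browsing from 5 clients
    at 2 requests/s each; from second 5 on, 200 distinct hosts each add one
    ordinary-looking GET per second, which is the distributed-flood pattern."""
    start = datetime(2009, 10, 10, 12, 0, 0, tzinfo=timezone.utc)
    lines = []

    def add(ip, t, path):
        lines.append(f'{ip} - - [{t.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 1024')

    for sec in range(10):
        t = start + timedelta(seconds=sec)
        for client in range(5):
            add(f"203.0.113.{client + 1}", t, "/index.html")
            add(f"203.0.113.{client + 1}", t, "/style.css")
        if sec >= 5:
            for host in range(200):
                add(f"198.51.100.{host + 1}", t, "/index.html")
    return lines


def per_source_offenders(events, max_req_per_sec):
    """Firewall/IPS-style rule: list sources that exceed max_req_per_sec in any second."""
    counts = defaultdict(int)
    for ip, ts, _ in events:
        counts[(ip, ts)] += 1
    return sorted({ip for (ip, _), n in counts.items() if n > max_req_per_sec})


def aggregate_flood_seconds(events, baseline_rps, factor):
    """Volumetric view: seconds whose total request rate exceeds factor x baseline.
    Returns {second: (total_requests, distinct_sources)} for the flagged seconds."""
    per_sec = defaultdict(list)
    for ip, ts, _ in events:
        per_sec[ts].append(ip)
    return {ts: (len(ips), len(set(ips)))
            for ts, ips in sorted(per_sec.items())
            if len(ips) > factor * baseline_rps}


def analyze(lines, max_req_per_sec=5, baseline_rps=10, factor=3):
    """Run both detectors over raw log lines; thresholds are illustrative assumptions."""
    events = [e for e in map(parse_line, lines) if e is not None]
    return {
        "parsed": len(events),
        "per_source_offenders": per_source_offenders(events, max_req_per_sec),
        "flood_seconds": aggregate_flood_seconds(events, baseline_rps, factor),
    }


if __name__ == "__main__":
    result = analyze(make_sample_lines())
    print("parsed lines:", result["parsed"])
    print("per-source offenders (cap 5 req/s):", result["per_source_offenders"])
    for ts, (total, distinct) in result["flood_seconds"].items():
        print(f"{ts:%H:%M:%S}: {total} req/s from {distinct} distinct sources")
```

The aggregate detector does not stop anything; as the post says, once the link is saturated nothing on the server side can. What it gives the operator is the evidence (rate, duration, how many sources) needed to open the conversation with the upstream provider quickly, which is where the mitigation actually happens.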

While I suspect this sort of attack will be relatively rare, since most attacks today are undertaken to make an illicit profit and DDoS attacks are generally conducted for notoriety or revenge, they still present a concern for customers, IaaS vendors and ISPs alike. Whichever bad guy compromised the machines used in this DDoS attack has just identified those compromised machines, and ISPs will have to start the painful task of notifying their subscribers or shutting down the compromised machines. ISPs notifying thousands of subscribers will not be done quickly or easily.

All of this is irrelevant if you are deploying a non-mission-critical application into the cloud. You can head to the pub until the DDoS attack blows over and your app is accessible again.

The story is different if you’re deploying a mission-critical application into the cloud, because you need to architect the application for resilience from Day 1. That means spreading the application among multiple IaaS providers and replicating data between those providers. It also means dealing with the challenge of latency between different IaaS providers. Cloud computing and SaaS/IaaS are great stuff, but enterprises and application architects need to think carefully about security before flying into the cloud.